Age | Commit message (Collapse) | Author | Files | Lines |
|
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I56c4682aef59ed0e69073f9001341c425e65bd48
(cherry picked from commit 595724a49072b30356e365ce78a3cc815980d342)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
(cherry picked from commit c53eb72931bc8c75204141f3952ac7682f0ae697)
|
|
Type: improvement
Signed-off-by: jxm <jiangxiaoming@outlook.com>
Change-Id: I80a51e841f9727b68d1de713b6b6d51675ef53c5
(cherry picked from commit 975fde82b11307180b3df7dc9b5b1b496f207a08)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ied2608e7a28c59c908803ca676abbe93072fadb8
(cherry picked from commit ba02641cc7a27ff02aca65036ffc4bd003497f0b)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I338e61654a62ed6308ecd8bb15e1a8b13cd859b9
(cherry picked from commit 41a6fbada173b2733ca3b43bf620d6a9634c50da)
|
|
TCP and (D)TLS clean up half-opens on main without a lock/barrier so
cleanup initiated from first worker, e.g., cut-throughs, can corrupt the
session pool.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2e5162831c0e201b22454f17fe55bfac44b85fa9
(cherry picked from commit 6bd54caf46aaa68dddbae6161688d428ce60550b)
|
|
The path pool can expand during in fib_path_attached_next_hop_get_adj()
when calling adj_nbr_add_or_lock(). If dpo points to a path->fp_dpo, its
reference becomes stale.
Use a temporary copy instead.
Type: fix
Change-Id: Ie966cb5f3f7b416425964dca12f1f586bfc2010c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit e9d7b0982d7bd189097260b6581abff472da251a)
|
|
The adj can be deleted during fib_walk_sync(), make sure it can happen
only after clearing the SYNC_WALK_ACTIVE flag.
Type: fix
Change-Id: I68be00e9602e2783d9dced71c51547c38b7e8a00
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 9f10edbb46dc1937ed99469a581723cb1ac1ff45)
|
|
When both chained and non-chained buffers are processed in the same
vector, make sure the non-chained buffers are processed as non-chained
crypto ops.
Type: fix
Change-Id: I19fc02c25a0d5e2e8a1342e2b88bbae3fe92862f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit e631ece4aa32b33651ed458200ab551ffb8fbb47)
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I99af136ecab9be1f9e00de6d197b8f1c74ab4b20
(cherry picked from commit 821b5002bf5cd18e1ec7750ff1b6fb379b241869)
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia46b0b8afed30f84b244c06f0457303f9e8832cd
(cherry picked from commit 67c90a32b7ad0c5a38c483ce849cc7a231e7ba54)
|
|
Unless a software interface is actually unnumbered, do not set
ip[46]_main.lookup_main.if_address_pool_index_by_sw_if_index [sw_if_index]
to ~0
Fixes this scenario:
loop create
set int state loop0 up
create sub-interface loop0 1
set interface ip addr loop0.1 192.168.1.1/24
delete sub-interface loop0.1
set int ip addr loop0 192.168.1.1/24
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I46141d862fa57d70b93d7bb0c105403708165264
(cherry picked from commit 64d20e76b9108c9158b2b538cd2312d740f48103)
|
|
a uRPF check on a for-us packet is done in the correct VRF
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iafa6efea0d96962aa9136dccefc148a961f74476
|
|
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic5e99938a5f130e83de6d590d2f89252d055bceb
|
|
Type: improvement
Change-Id: Idb48f835730db6c652c4b0e6ef310c7f36599a72
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Avoid grabbing the worker barrier if there's no work to be done.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ice3de5df41cd1752aba3419ad2e2dd82f30e9bfb
|
|
Type: improvement
Change-Id: I873a99c1258a97ed5ed195b9756e8302f865e7f0
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
The same value is used for other tunnel types.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6593001918993d65f127cc9f716c95e932239842
|
|
Type: fix
If a GRE tunnel is created and the peer is not resolved yet and an
IPv6 route is added which points to the tunnel, packets matching the
route will be dropped. When the tunnel peer is resolved, adjacencies
on the tunnel interface should be restacked and packets matching the
route can be encapsulated and sent..
There is a loop that is intended to do this for both IPv4 and IPv6.
The call to walk adjacencies is invoked in a "return" statement though.
So the loop is exited and the function returns before IPv6 adjacencies
are walked.
Remove the return so the loop finishes.
Change-Id: Ia4f695681713020209ea490ae4142857cea49c41
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I47d241a8f2f9e9d0761d14dcddd3327c3b28932c
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I750c856ac81d951e8c0e62c710e0f35a0c80d6f9
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie4e3623e7e00456437fac5fb8f9c9083f1aa2a2e
|
|
Type: improvement
Change-Id: I6bb7b6d6bd63b044952ab981be5b0673144c9834
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Iecc33fda7f28c037289775ffe0525a50f89a2b8c
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie8a15c50531f3ccd5f91dbc0779e4d9c0d146844
|
|
Avoids dispatching ctrl events generated while handling the
current pending list.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibeaf901ba4cf58a68fbd88e5ec3c23f6c2f6f145
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I10ec410fb7f3acb47128dda23510162dc13b20d0
|
|
Type: fix
virtio uses indirect descriptors for chain buffers.
indirect descriptor chain is mapped on a vlib_buffer_t.
Single descriptor is 16 bytes and vlib_buffer_t has
2048 bytes space. So maximum long chain can have
128 (=2048/16) indirect descriptors.
This patch adds check to make sure descriptors chain
len should not exceed 128.
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I060cfb7709568f42c9b5634527172690ce66a1a3
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifa47e1500e5cfb3c717f87b1d21131b9531c9005
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I24484a5192d7e683507ed640f75fb37914c0efb0
|
|
Half-open sessions are allocated by main thread and cleaned up on main
with timers.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I37f000920a45908b62b5501ae9d54a88a9e4c609
|
|
Mechanical change for patch following this one...
Type: improvement
Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I59eb41516b5e052109428ae70660ed49126c25bb
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
|
|
Fixes issue which causes crash in case when VPP only runs with main thread.
Type: fix
Change-Id: Ia0ca973bb7e7ff81f15b37764ae248e2502bdcec
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7f9c4b9b6e523ab549087ad21724f34f08fca793
|
|
Also adds support for half-open support transport migration.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id04c194138956336f93246bbed0332a7030c67e2
|
|
Type: fix
Change-Id: I5ce7e57ae277de26af602fe786048bf21b8612f8
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- Generate copyright year and version
instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
|
|
This patch fixes a vxlan vni field conversion bug in flow api layer
Type: fix
Signed-off-by: Chenmin Sun <chenmin.sun@intel.com>
Change-Id: I37b2ffb54792f48b390ff42da577db2c4869d253
|
|
Half-open tls sessions are now tracked by the app worker and are cleaned
up only when tcp cleans up its half-open session, i.e., independent of
when the established tls context is allocated.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5d594d7095192dd527daf4ea1358ffeccdfcc7a
|
|
App transports not supported for now. Will have to be updated
individually.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I75cb6c4e1c5af008af72858a9ee573016812abd4
|
|
Some app(e.g. Envoy) may call shutdown() instead of close() when
draining connection.
Type: improvement
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I9543b9ca3caa87b10b134fd1fc4019124e41e4d2
|
|
Change-Id: I248ef12fd34ea2a1c383fbcc530a8ffeb31ba92b
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
Type: improvement
Change-Id: I415b2f980de10ca3154d2c8677c24792453eccd0
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: hemant_mnkcg <hemant@mnkcg.com>
Change-Id: I097815617053dac09de7ad3092b3d3071770114f
|
|
Use half-open sessions to track virtual circuit connection
establishment. These sesssions can only be allocated and freed by the
thread that allocates half-open connections (main). Consequently, they
can only be freed on half-open cleanup notifications from transports.
Goal is to simplify state tracking within the session layer but it's
also a first step towards allowing builtin apps to track and cleanup
outstanding connects.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8a535906d13eb7f8966deb82333839de80f8049f
|
|
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I86b940384a6898d4cb04f3decf30996c94b43d07
|
|
When vhost and another interface, say tap, are configured for interrupt
mode, performance number may be very low from vhost.
Further analysis discovers that when vhost posts an interrupt to the
RX infra, there is a 10 msec delay in waking up its input routine.
The delay is due to vhost posts the interrupt from the main thread
which tries to wake up the worker thread.
The fix is for vhost to move the posting interrupt call to the
corresponding input worker thread by calling
vnet_hw_if_set_rx_queue_file_index() to set it up.
While at it, streamline the function vhost_user_kickfd_read_ready()
since it will be called from the worker thread.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I9beedcd33e1558c8335da4ee7fadc51c29ee4589
|